STE WILLIAMS

Will the next version of Android get location privacy right?

Better late than never, Google has confirmed that improved control over location tracking is one of several new privacy features in the next version of its mobile OS, Android Q, due to appear later this year.

It’s an issue that’s been giving Google some grief in the last year as a series of investigations have revealed the way that Android apps – and even perhaps Google itself – furtively track users’ locations.

Currently, location access can be granted or denied on an app-by-app basis. However, there is nothing to stop an app that has been granted that permission from continuing to track users’ locations even when it is not in use.

It’s become so controversial that Facebook even announced that it was unilaterally adding location-tracking control to its Android app to head off public concern about its data-gathering behaviour.

From Android Q onwards, apps will no longer be able to do this by default and will need to request background location access. Writes Google VP of Engineering, Dave Burke:

Android Q enables users to give apps permission to see their location never, only when the app is in use (running), or all the time (when in the background).

Will this put the location-tracking controversy to bed? Apart from the fact that many Android devices will not be upgraded to Q (only recent devices are guaranteed to get the latest version), Google’s playing catchup here: Apple’s iPhone has had the same feature since iOS 11 in 2017.

But this important change shouldn’t overshadow a range of other privacy and security features being added to the mix with Q.

Device identifiers

Most Android users have probably never heard of Android’s Advertising ID (AAID), an identifier Google launched in 2013 so advertisers could legitimately track users whilst giving the latter the option to reset (i.e. wipe) the ID as often as they pleased.

Unfortunately, a recent analysis found that some advertisers have been bypassing this system by tracking identifiers that can’t be changed such as Android device ID and IMEI number. Android Q wants to restrict this behaviour:

We’re limiting access to non-resettable device identifiers, including device IMEI, serial number, and similar identifiers.

It will also randomise a device’s hardware MAC address when connecting to different Wi-Fi networks – an Android 9 setting that will become the default.

App-scoped storage

Each app will get its own isolated sandboxed storage when using external media such as SD cards, which no other app will be able to access.

Because files are private to your app, you no longer need any permissions to access and save your own files within external storage. This change makes it easier to maintain the privacy of users’ files and helps reduce the number of permissions that your app needs.

TLS 1.3

Of all the minor tweaks, the addition of support for TLS 1.3 is significant. This is the latest incarnation of the protocol used to set up HTTPS between a browser and a website, and it adds speed and more privacy to the negotiation (handshake) phase.

A final, less familiar aspect of Android Q is that users with Google Pixel smartphones can get hold of beta version 1 this week as an over-the-air downloadable system image (no need to root a device or wait for later builds).

We don’t recommend this for anyone other than developers (stability might be an issue) but it’s interesting that Google is allowing the world to see new Android versions this early.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/if78CGdwap4/

How to make DuckDuckGo your default Chrome search engine

Privacy-conscious web users now have a new way to search in Chrome’s address bar. Version 73 of the browser, released Tuesday, now includes the DuckDuckGo search engine as an option.

Included without fanfare, the feature enables users to search DuckDuckGo by default from the address bar, but they must set this option in the preferences.

DuckDuckGo bases its business model on the idea that advertising needn’t invade users’ privacy. The company still gets its revenues from displaying ads, but it bases them on immediate searches rather than building data profiles of people.

Earlier this month, DuckDuckGo founder Gabriel Weinberg testified before the US Senate Judiciary Committee hearing on GDPR and California’s equivalent privacy legislation, CCPA. He told the Committee:

We simply do not collect or share any personal information at all.

Kudos to Google for taking the plunge, but it is five years late to the party. Safari has supported DuckDuckGo since OSX Yosemite, released in fall 2013, and Mozilla added support in Firefox around the same time.

Google has been getting friendlier with its search rival over the last couple of months. In December 2018 it gave the Duck.com domain to DuckDuckGo. Google had originally purchased that domain as part of another company acquisition and had been redirecting visitors to its own site. Handing it over resolved a lot of confusion for users, said DuckDuckGo founder and CEO Gabriel Weinberg at the time.

DuckDuckGo seemed pleased by this latest news, too:

(Tweet: https://twitter.com/DuckDuckGo/status/1105886271493337088)

Why is Google playing so nicely?

One reason could be because the company has been subject to scrutiny by regulators and lawmakers in the US.

On 11 December 2018, its CEO Sundar Pichai was forced to defend the advertising and search giant’s privacy practices before the House Judiciary Committee. It is being investigated for its privacy practices in Arizona, and was fined $57m by French privacy regulators in January.

Google is also being investigated for antitrust practices in India, and there have been calls to break up the company by Australia’s News Corp and by US presidential candidate Elizabeth Warren. So anything it can do to show that it supports other search options – and privacy-focused ones at that – helps to stoke an image of openness and privacy awareness that it dearly needs at the moment.

Google needn’t worry too much about people fleeing its search engine. It already supports other search engine options such as Bing and Yahoo search in Chrome, but, like those, DuckDuckGo is very much an underdog.

DuckDuckGo’s share of the worldwide search engine market jumped from 0.2% in February 2018 to a heady 0.38% last month, putting it a distant sixth behind Google (92.92%), Bing (2.38%), Yahoo! (1.79%), Baidu (1.03%), and Russian search site Yandex (0.55%).

It fares slightly better in the US, coming in fourth with 0.98% of the market as of last month.

How to set your search engine in Chrome

To switch to DuckDuckGo as your default search engine, open the Chrome menu, select Preferences, then scroll down to the Search engine section. Under “Search engine used in the address bar”, select DuckDuckGo.

If you don’t see it, click Manage search engines and select it from the longer list.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mmubSpyQsjg/

Facebook outage coincides with (or causes?) 3m new Telegram users

Facebook fell flat on its face on Wednesday, which seems to have led to Telegram having a busy, busy day.

On Thursday, the founder and CEO of Telegram – a popular encrypted messaging app that describes itself as the “more secure alternative” to common messaging apps like WhatsApp – announced that it had picked up three million new users in the past 24 hours: a period that coincided with nearly a day-long, worldwide outage at Facebook.

The outage brought down not only Facebook’s core service, but also its Messenger, Instagram and WhatsApp services. On Thursday, Facebook blamed a misconfigured server.

Telegram CEO Pavel Durov announced the fattening of the user base on his personal Telegram channel. The three million newcomers added to what the service said was 200 million active users as of March 2018.

Of course, we can’t say for sure if the Facebook outage actually caused the 3m user uptick. Maybe the two just happened to coincide. Durov didn’t mention what the typical, non-Facebook-flattened new-user signup rate is. At any rate, in any given week, there are multiple news stories that might cause users to seek out a messaging service that doesn’t suck their data blood like a cyber vampire.

Telegram is a free, encrypted messaging service that’s similar to WhatsApp, except that it doesn’t slurp up users’ data in order to make money from targeted ads. Rather, it runs on user donations.

Durov has insisted that the privacy of Telegram users isn’t for sale. In spite of having known since as early as 2015 that terrorists use the app, the company has resisted governmental pressure to hand over encryption keys. Doing so, Durov has said, would just prompt such users to move to another app.

Eyes wide open

While that’s admirable, Telegram isn’t the be-all and end-all when it comes to secret messaging. It’s had its critics and its glitches. Encryption and security experts have questioned whether Telegram’s encryption is, in fact, better than alternatives.

Telegram has also had its share of vulnerabilities. In August 2016, for example, there was a data leak in Telegram’s MacOS X version. Text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad hoc and unnoticed backup of anything pasted into it.

Just a few days after that leak came to light, news broke about hackers targeting Telegram’s SMS activation to expose activists and journalists – an attack that compromised the accounts of more than a dozen activists, journalists and other people in sensitive positions in Iran.

Then too, in February 2018, researchers uncovered a bug that enabled Telegram to be conned into displaying filenames backwards – a trick that crooks used to display a JavaScript malware executable as an innocuous .png file.

But hey, what can you expect? As Naked Security’s Mark Stockley has noted in the past, it’s software, it’s made by people, it’s used by people, and it’s subject to flaws, super-secret-sauce or no. As Mark puts it:

It might be better than the next best thing, but that’s all it can ever be, better.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YvqX_O-xhr8/

Ep. 023 – Facebook promises and Google Chrome patches [PODCAST]

This week, the Naked Security Podcast tries to figure out where Mark Zuckerberg’s new “Facebook Privacy Promise” is going, and digs into both the technical and community aspects of a recent Chrome zero-day exploit.

With Anna Brading, Mark Stockley and Matthew Boddy. (This week, Duck was away in London giving a dramatic, well-informed talk entitled “When the Cloud Attacks”.)

This week’s stories:

If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...


Thanks to Purple Planet for the opening and closing music.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/W8uIs3MnU0U/

So you need an IT security center. Fret not: Let an automated solution take the strain

Promo Today’s businesses are so heavily dependent on their IT infrastructure that the slightest disruption in service can incur damaging losses.

Full network protection also incurs huge costs, requiring investment not only in hardware and software but also in setting up an IT security department and staffing it with knowledgeable experts.

Fortunately for companies that cannot afford such outlays, cheaper alternatives are available that provide effective network monitoring and ensure that your valuable data is safe.

Polish software house and systems integrator Comarch provides a solution that lifts the administration burden by centralising IT infrastructure monitoring in a single management system.

The company’s Network Operations Center (NOC) is an automated monitoring service that provides organisations with real-time information about the performance of their network, its operating systems and application platforms.

It also has a multilingual team of experienced professionals on hand round the clock to analyse and offer support in the case of unexpected incidents or threats.

Comarch says NOC can be customised to meet businesses’ individual needs and monitoring challenges, so you can use it to complement the capabilities of your own IT department or rely solely on the solution for full business continuity planning and disaster recovery.

For more details, you can download the company’s free leaflet, right here.

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/15/comarch_secure_it/

Public spending watchdog snipes at UK.gov’s £1.3bn infosec plan – but broadly nods it through

Britain’s Cabinet Office (CO) hasn’t quite bungled the National Cyber Security Programme (NCSP) but it could certainly be doing things a lot better, the National Audit Office said today.

The NCSP is owned by the CO and is the government’s master plan for securing Blighty against ne’er-do-wells and hostile foreign states alike trying to hack and take down critical national infrastructure.

It is a £1.3bn taxpayer funded programme, whose costs were originally pegged at £860m. Other government departments bid for a slice of that cash and spend it on their own infosec initiatives, under the Cabinet Office’s watchful eye.

“Lead departments are largely on track to deliver against their objectives, although funding for the remainder of the Programme is below the recommended level,” said the National Audit Office (NAO) this morning. It added that the CO had not properly planned how it would spend the cash when it originally secured the NCSP’s funding from the Treasury:

“The government used the Strategic Defence and Security Review and Spending Review in 2015 to establish the overall direction of cyber security expenditure and approve individual project business cases. However, when HM Treasury set the funding in 2015 the Department did not produce an overall Programme business case to systematically set out the requirement and bid for the appropriate resources.”

Of the £1.3bn total fund for the NCSP, £100m was added in a loan from the Treasury after the NCSP got under way, while £69m was cut and reallocated to anti-terror work. The NAO acidly commented:

Although these activities contributed to enhancing cyber and wider national security they were not originally intended to be funded by the Programme, and this delayed work on projects such as elements of work to understand the cyber threat.

One of its big successes, according to the NAO, was the creation of the National Cyber Security Centre in 2016, an offshoot of spy agency GCHQ. The NCSC was instrumental in helping the NHS clean up in the aftermath of the WannaCry malware outbreak of 2017.

The Cabinet Office told El Reg it was proud of what it had done so far, quietly glossing over the criticisms of its financial management of the NCSP.

“The UK is safer since the launch of our cyber strategy in 2015. We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure,” a spokeswoman said. “We recognise that there is always more to do, and are pleased that the NAO has endorsed our plans for the future through their recommendations.”

Ominously, the NAO said: “The Department has ‘low confidence’ in the evidence supporting half of the Strategy’s strategic outcomes, and currently only expects to achieve one by 2021.”

It also added that it had been gagged from telling the public why the Cabinet Office won’t meet its own targets: “For security reasons we cannot report progress against any further strategic outcomes.”

The full report is on the NAO website.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/15/nao_national_cyber_security_programme_report/

Ransomware’s New Normal

GandCrab’s evolution underscores a shift in ransomware attack methods.

Don’t be fooled by the drop in overall ransomware attacks this past year: Fewer but more targeted and lucrative campaigns against larger organizations are the new MO for holding data hostage.

While the number of ransomware attacks dropped 91% in the past year, according to data from Trend Micro, at the same time some 75% of organizations stockpiled cryptocurrency. The majority that did also paid their attackers the ransom, according to a Code42 study. Overall, more than 80% of ransomware infections over the past year were at enterprises, as cybercrime gangs began setting their sights on larger organizations capable of paying bigger ransom amounts than the random victim or consumer.

The evolution of the prolific GandCrab ransomware over the past few months demonstrates how this new generation of more selective attacks is more profitable to the cybercriminals using it – and underscores how the ransomware threat is far from over.

“[Ransomware is] not going anywhere anytime soon,” says Adam Meyers, vice president of intelligence at CrowdStrike. “A few years ago, there was DDoS extortion … it went away when no one was paying. But here they are doing ransomware attacks and making good on their demands.”

Meyers says CrowdStrike recently added the GandCrab gang – which it calls Pinchy Spider – as the newest cybercrime group on its watch list of four groups attacking so-called “big game” targets and demanding anywhere from hundreds of thousands to millions of dollars in ransom to unlock their data. The other three cybercrime groups hacking bigger targets with ransomware are Boss Spider, the group behind SamSam; Indrik Spider, the group behind BitPaymer; and Grim Spider, which deploys Ryuk.

“They come in very much like a targeted intrusion attack by China or Iran [nation-states] would. They move laterally and deploy ransomware far and wide across the enterprise, charging a much higher ransom,” Meyers explains. “It’s an evolution in how ransomware is deployed, and it demonstrates how criminal actors have identified that they can make more money targeting enterprises in a way that is fairly devastating.”

Pinchy Spider is best known for its GandCrab ransomware-as-a-service (RaaS) model that offers a “partnership” with its cybercrime customers, who get 60% of the profit and sometimes up to 70%.

The creators of GandCrab call its RaaS licensing “Dashboard Essential,” where newbie ransomware hackers pay $100 to infect 200 victims during a two-month period, according to a recent study by Sophos.

Chester Wisniewski, principal research scientist at Sophos, says he has seen ransoms of $300,000 to $400,000 demanded by GandCrab attackers. The creators also offer source-code licensing of the malware for $1,200. This allows buyers to make slight changes to the malware so it’s undetectable by anti-malware programs, which Wisniewski says have been mostly effective at snuffing it out. “You can even replace their logo with your logo,” Wisniewski says of the ransomware packaging options.

Ransomware gangs made the transition from opportunistic attacks to more targeted ones, mainly with a little help from Shodan. They typically search for hosts with Remote Desktop Protocol (RDP) enabled and exposed, for example, he says. They then look for RDP hosts in IP ranges whose business information identifies an organization they want to target. “The victim selected is slightly targeted, but they need one that belongs to an organization” they want to target, he says.

Once they gain a foothold with the first victim, they move around using standard penetration testing tools. “They act more like pen testers, not using bespoke malware but things like [Windows remote access tool] PsExec and Mimikatz to grab passwords out of memory,” Wisniewski says. “They case the victim while they are in and figure out how they do backups so they can disable and delete them.”

One GandCrab attack in mid-February was especially persistent: After at first failing to infect a computer in the target’s network, the attackers returned to perform reconnaissance on the victim’s network using legit tools Sysinternals Process Monitor, Process Hacker, and LAN Search, according to CrowdStrike, which studied the attack. On the third day of the attack, the attacker manually uninstalled the security software that was blocking its installation of GandCrab; with stolen RDP credentials, the attacker then spread GandCrab to other systems.

Silent SamSam
Meanwhile, the SamSam ransomware gang, aka Boss Spider, has been relatively quiet since the US Department of Justice handed down indictments of two of its operatives, Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri, both Iranian citizens, for the ransomware attack against the city of Atlanta last year. “It shut down their operations in the wake of that indictment,” CrowdStrike’s Meyers notes.

The attackers hit some 3,800 workstations and servers with ransomware that locked the city out of its systems and incurred millions of dollars in losses. City officials did not pay the attackers the roughly $51,000 in cryptocurrency to decrypt their systems.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/endpoint/ransomwares-new-normal/d/d-id/1334172?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Criminals Use One Line of Code to Steal Card Data from E-Commerce Sites

New JavaScript sniffer is similar to malware used in the Magecart campaign last year that affected over 800 sites.

Criminals using just one line of malicious code have successfully compromised at least seven e-commerce sites and potentially stolen payment card data belonging to thousands of customers of the online stores.

Six of the e-commerce sites are US-based and one, belonging to footwear maker Fila, is based in the United Kingdom. Security vendor Group-IB, which uncovered the attacks, identified the malicious code as a new JavaScript sniffer (JS sniffer) that it has named GMO.

In an alert Thursday, the Moscow-based Group-IB said its researchers first discovered the GMO JS sniffer on Fila UK’s website in early March. The company’s subsequent investigations showed that the malware has been active since at least May 2018 and that six relatively small US e-commerce sites have been affected as well.

Group-IB identified the six sites as forshaw.com, absolutenewyork.com, cajungrocer.com, getrxd.com, jungleeny.com, and sharbor.com. The security vendor pegged the combined total number of monthly visitors to these sites at around 350,000.

Group-IB described GMO as a family of JS sniffers that targets e-commerce sites based on the Magento content management system. The malware is one of at least 38 families of JS sniffers designed to steal payment card data and credentials from online stores. The attackers are injecting the card-stealing code into the sites either via an unknown vulnerability in Magento or by somehow compromising the credentials of the website administrator, Group-IB said.

Once in place, the one-line code downloads the JS sniffer whenever a user lands on the compromised e-commerce website’s checkout page. The sniffer then intercepts any credit card data that is entered into the page, puts the data into local storage, and then sends it out to a system controlled by the attacker.

The GMO campaign is very similar to but much smaller than one that RiskIQ reported last year where multiple attackers operating under a common umbrella group called Magecart installed lightweight card-stealing malware on some 800 e-commerce sites worldwide, including Ticketmaster UK. In that campaign, the attackers installed the single-line card sniffers on third-party software components on the sites, such as those used for customer support and for sending out push notifications.

Such attacks are especially dangerous because adversaries can adapt them for use against any e-commerce site, Group-IB said.

The GMO campaign, as well as the one involving Ticketmaster and other major sites, shows that despite their simplicity, JavaScript sniffers are extremely dangerous, says Nicholas Palmer, vice president of international business at Group-IB. Such tools can be used to steal data on thousands of customers. “If underestimated, this threat can lead to additional risks for customers,” Palmer says. “Any e-commerce business around the world is vulnerable to this type of attack,” he says. And it’s not just online stores that get affected, but also payment systems and banks.

Palmer says that the group operating the GMO JS sniffer malware appears to be relatively new. Even so, it managed to get access to several websites, including Fila, he notes.

Significantly, there are multiple other groups using distinct families of JS sniffers targeting online stores. In some cases, it is difficult to determine how many people are using a particular sniffer. Every family of JS sniffers has its own characteristics: some are multipurpose, while others are designed specifically to target particular content management systems and other third-party software components that e-commerce sites use.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/criminals-use-one-line-of-code-to-steal-card-data-from-e-commerce-sites/d/d-id/1334173?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Man drives 3,300 miles to talk to YouTube about deleted video

On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick.

It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”

According to a press release from the Mountain View police department (MVPD), Iowa State Patrol on Friday gave them a heads-up about Long’s journey. Iowa police spoke to Long twice that day: once when he got into a collision (without injuries) and then again after he vandalized a restroom at a gas station store a short time later.

Employees at the gas station store didn’t want to press charges, and the collision didn’t warrant Long’s detention, so Iowa police let him go.

Three baseball bats and a serious need to chat

Then, on Sunday, the MVPD got another heads-up. This one came from police in Long’s hometown of Waterville, Maine. Waterville police told MV police that they’d been tipped off about Long having made it to California. They’d also gotten a tip that he intended to resort to physical violence if his meeting with Google execs didn’t go well.

MVPD began to look into the matter and kept an eye out for Long’s arrival. Officers were stationed in and around the Googleplex, and monitored all the major highways around the city in order to intercept Long before he could set foot on Google’s main campus.

On Sunday afternoon, around 1pm, they spotted Long’s car. When they stopped him, they found three baseball bats.

Family says he’s not violent

That doesn’t mean he meant to hurt anybody, according to his father – Kevin Long – and his wife, Samantha Long.

BuzzFeed News quoted Kevin Long:

All he wanted was to get [the video] back online. Something is wrong with him.

Samantha Long:

Do I think he would have hurt anybody at Google, absolutely not. He was just trying to make the world a better place.

She said that her husband, who’s been diagnosed with bipolar disorder, didn’t want to argue with YouTube about his video being deleted. Rather, he wanted to pitch the content of the video to the company directly. Kyle Long was so convinced that his money-making scheme was solid, he thought it would result in an immediate payout from Google, one that he was sure would be worth a billion.

Samantha Long was on the receiving end of his pre-cross-country pitch:

He made me sit down, and he did a mock presentation to me.

After he got his billion-dollar payout, she said, her husband planned to head down to Mexico with the money.

She tried to talk him out of it. She said YouTube wouldn’t give him any money for his idea.

He dismissed her as being short-sighted. Samantha Long:

You can’t talk Kyle down from anything if he’s got his mind set. He told me that I didn’t know what I was talking about, and that I didn’t have the mind that he has – that I’m not open minded and I’m basic.

Why three bats?

Samantha told BuzzFeed News that there’s a simple, non-scary explanation for the baseball bats: the couple has three kids. The kids play in Little League, Long himself plays in a softball league, and his wife said that she’s sure that the bats were accompanied by baseballs and gloves.

The MVPD arrested Long for allegedly making criminal threats. His car was towed, and as of Tuesday, he was being held on $25,000 bail at the Santa Clara County Jail.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/irH9dtTftRw/

Serious Security: What we can all learn from #PiDay

It’s Pi Day – or World Pi Day, if you prefer, or even Universe Pi Day, given that Pi is a universal constant.

As you may remember from school mathematics, Pi is the cool and amazing ratio you get when you divide the distance around a circle by the distance across it – the number comes out identically for every circle, no matter how big or how small.

Quizzically put, it’s Pi that makes bicycle wheels go round and round smoothly, rather than going kerbump, kerbump on a flat spot or gaflop, gaflop on a bulgy bit.

(In mathematics, you’re supposed to use the Latinny word circumference, meaning carrying around, and the Greeky word diameter, meaning measurement across, but it’s the words around and across that matter.)

The Ancient Greeks really struggled with Pi – indeed, they struggled to the point that it’s almost a satirical joke that we now call the constant after a Greek letter, and even write the lower-case Greek letter π to denote it.

Ancient Greek mathematicians were really smart, but they weren’t very open-minded, so they struggled with what we now call irrational numbers.

To the Greeks, numbers of that sort weren’t just irrational, they were unbelievable, inconceivable, impossible, even sacrilegious, so the Pythagoreans simply denied the possibility that they might exist.

All numbers, they insisted, could be turned into fractions – in other words, they could be represented as one whole number divided by another, like one third (1/3), three quarters (3/4), or all-but-one in a million (999,999/1,000,000, or exactly 0.999999 in decimal notation).

There was no limit to how complicated a fraction could be, but eventually you should, could, would – MUST, insisted the Greeks – find a fraction to represent any possible number.

Fractions considered useful

In the days before modern computers, fractions that came out close to the value of Pi were very useful, because you could work them into hand calculations (with or without log tables) more easily than a lengthy number in decimal notation.

For example, if you approximate Pi as 3.1416, that’s the same as writing the fraction 31416/10000.

Now, the volume of a sphere is 4πr³/3. Setting aside the final division by 3, which is the same whichever approximation of Pi you use, you could work out 4πr³ for a sphere of radius 176 metres by hand like this:

176m x 176m x 176m x 4 x 31,416 / 10,000 = 68,509,197m³

Accurate to 2 parts in a million.

Dividing by 10,000 is easy – just chop off four digits at the end – but that five-digit multiplication by 31416 is a real headache, especially if you decide to do it exactly using long multiplication.


But the fraction 22/7, coming out at approximately 3.1429, is good enough for calculations to within 0.1%.

If you use 22/7 instead of 3.1416, you get an easy multiplication followed by a single-digit division, which is easier overall than a five-digit multiplication:

176m x 176m x 176m x 4 x 22 / 7 = 68,536,612m³

Accurate to 4 parts in 10,000.

22 = (10+1)×2, so to multiply N by 22 you can just add a zero to N in your head for the multiplication by 10, add the original N back into the result to get 11N, and then double it for 22N.

Another popular fraction for Pi when more accuracy is needed is the easily-memorised 355/113.

This approximation of Pi was widely taught in schools and engineering colleges – despite its simplicity, it comes out at 3.14159292, a number that differs from the decimal expansion of Pi only at the seventh decimal place:

176m x 176m x 176m x 4 x 355 / 113 = 68,509,043m³

Accurate to 1 part in 10 million.

Fractions always imperfect

No matter how hard you try, you’ll never find a fraction that exactly represents Pi, because there isn’t one.

You can get really close, for example by drawing a polygon that fits exactly inside a circle and then increasing the number of sides of the polygon until you can’t even see the tiny segments that are between the polygon and the circle.

You’ll never quite get to the true value of Pi, however, because there will always be some teeny parts at the edge of the true circle that you haven’t covered up.

You can’t get downwards to Pi from the outside of the circle, either.

You can try, by drawing polygons that just skim the outside of the circle, and the distance around your polygon will decrease every time you make it more accurate by adding more sides.

But even though you’re now homing in on Pi from above, you’ll never have a true circle or finish calculating its true circumference.

Simply put: Pi is trivial to describe and even to define, but it’s impossible to write down its value, no matter how many sides your polygon has, how complicated your fractions become, or how many decimal digits you churn out.

This drove the Ancient Greeks crazy – in fact, there’s a legend that says the mathematician Hippasus was deliberately drowned to stop him revealing a dreadful secret he’d proved, namely that the square root of 2, just like Pi, could never be turned into a fraction.
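The polygon squeeze described above can be carried out numerically. What follows is an added example, not code from the original article: it starts from a hexagon inside and a hexagon outside a circle of radius 1, doubles the number of sides repeatedly using Archimedes’ side-halving formulas, and reports the lower and upper bounds on Pi. Worked with Python’s decimal module at 40 significant digits, the bracket tightens but never closes. Worked with ordinary 64-bit floats, the inscribed-side formula subtracts two nearly equal numbers at every step, precision drains away, and after roughly 27 doublings the "lower bound" silently becomes exactly 0.0, a confident-looking answer that is pure nonsense.

```python
import math
from decimal import Decimal, localcontext

# Reference value, used only to check that the bracket really contains Pi.
PI_REFERENCE = Decimal("3.14159265358979323846")


def polygon_bounds(doublings, prec=40):
    """Squeeze Pi between regular polygons inscribed in and circumscribed
    about a circle of radius 1, starting from hexagons and doubling the
    number of sides `doublings` times (Archimedes' method).

    Returns (sides, lower, upper): perimeter/diameter of the inner and the
    outer polygon, computed with `prec` significant decimal digits.
    """
    with localcontext() as ctx:
        ctx.prec = prec
        n = 6
        s = Decimal(1)                        # side of the inscribed hexagon
        t = Decimal(2) / Decimal(3).sqrt()    # side of the circumscribed hexagon
        for _ in range(doublings):
            # Halving the central angle: s_2n = sqrt(2 - sqrt(4 - s_n^2))
            s = (2 - (4 - s * s).sqrt()).sqrt()
            # and t_2n = 2 * (sqrt(4 + t_n^2) - 2) / t_n
            t = 2 * ((4 + t * t).sqrt() - 2) / t
            n *= 2
        # Perimeter is n * side; the diameter of the unit circle is 2.
        return n, n * s / 2, n * t / 2


def float_lower_bound(doublings):
    """The same inscribed-polygon recurrence in 64-bit floating point.

    2 - sqrt(4 - s*s) cancels catastrophically as s shrinks; once s*s drops
    below half a unit in the last place of 4.0, the inner subtraction yields
    exactly 0, and so does every later step.
    """
    n, s = 6, 1.0
    for _ in range(doublings):
        s = math.sqrt(2.0 - math.sqrt(4.0 - s * s))
        n *= 2
    return n * s / 2


if __name__ == "__main__":
    for k in (0, 5, 10, 20):
        n, lo, hi = polygon_bounds(k)
        print(f"{n:>9d} sides: {lo} < Pi < {hi}")
    for k in (10, 25, 27):
        print(f"float, {6 * 2 ** k:>10d} sides: lower bound {float_lower_bound(k)!r}")
```

The Decimal version is the honest one: every result it prints comes with a known, widening number of correct digits. The float version prints numbers with the same sixteen-digit swagger all the way down to zero, which is the point of the first lesson below: a precise-looking output is not the same thing as a precise answer.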

A troubled history is no discouragement

As you can imagine, the troubled history of irrational numbers, and the fruitlessness of trying to calculate them to a conclusion, hasn’t stopped computer scientists from working on Pi.

Indeed, just in time for Pi Day 2019, Emma Haruka Iwao, a software engineer from Seattle in Washington, cranked out a world record 10-Pi-trillion (roughly 31.4 trillion) decimal digits of the famous number:

Just to be clear, that’s an American trillion, where the tri- refers to the act of multiplying a base number of 1000 by another 1000 three times, for 1000×1000×1000×1000, or 10¹². In British trillions, now rarely used in the Anglophone world, the tri- means the act of multiplying a base number of 1 by 1,000,000 three times, for 1,000,000×1,000,000×1,000,000, or 10¹⁸. The full number in this case was 31,415,926,535,897 decimal digits long.

So, there you have it!

Pi, figured out to way more precision than you could ever need, but still without the perfection you get just by writing the single letter π.

What to do?

There is a cybersecurity story in here – two, in fact.

  • Precision can’t always be achieved. So never, ever pretend to be precise when you aren’t. As a programmer, be very careful that you don’t churn out and present answers that give a false sense of security or correctness.

We’ve written before, for example, about mobile phone networks and mapping apps that, when faced with geolocation data for a computer that is no more precise than “somewhere in the continental USA”, insist on returning GPS co-ordinates that pinpoint the geographic centre of the country.

They recklessly – and dangerously! – turn raw data that says, “We literally have no detail about where to look” into allegedly precise information that insists, “We took an average of sorts, and now, by magic, we know exactly to within 10 metres.”

Apparently, the geocentre of the USA is a farmhouse in Kansas whose residents are understandably tired of being “pinpointed” precisely for crimes they didn’t commit, spam they never sent, orders they never placed, phones they’ve never owned, meetings they never called.

  • Write dates sensibly in your logs. Follow the RFC 3339 standard for date and time on the internet. Writing Month Day, Year, as North Americans do, is a dreadful practice in logs because the format is hard to read and doesn’t sort easily.

We’re stuck with having Pi Day on March 14, as it’s called in North America, using the weird North American date format, because it’s the only way to get 3.14 to look like a date – if 14 were to denote the month, Pi Day could never exist.

However, RFC 3339 urges you to write dates and times consistently, using an unambiguous format that, when sorted alphabetically, automatically ends up in chronological order.

Simply put, if you wanted to denote 4pm on this year’s Pi day in the city of Amsterdam, you’d say something like this:

2019-03-14T15:00:00.000Z

Write the year in the Christian Era, always with all four digits; then the month and day with leading zeros; then a handy T as a separator; then the time using the 24-hour clock, with a consistent number of fractional digits; and finally Z to indicate Zulu time, meaning you’ve got rid of any pesky timezone by converting to Co-ordinated Universal Time (UTC).

Technically, RFC 3339 allows you to include an explicit numeric offset (e.g. -08:00 or +10:00) instead of converting to Zulu time, but we urge you always to convert and always to use the Z marker to say so.

When it comes to dates and timestamps: say what you mean, and mean what you say.
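As an added example (not code from the article), here is how you might generate, validate and normalise RFC 3339 timestamps in Python, and check the sorting property the advice above relies on. The list MIXED is constructed for the example: it holds the same Pi Day afternoon stamped in three different offsets, and it only sorts chronologically as plain text once every entry has been converted to the Z form.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time: full-date "T" partial-time, with a mandatory Z or
# numeric offset. The RFC also permits a lower-case 't'/'z' and a space as
# separator, so those are accepted on input and normalised on output.
_RFC3339 = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})[Tt ]"
    r"(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?"
    r"(?:([Zz])|([+-])(\d{2}):(\d{2}))"
)


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp into a timezone-aware datetime.

    Raises ValueError if the offset is missing: a log line without one
    cannot be placed on a timeline, so refuse to guess rather than assume.
    """
    m = _RFC3339.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an RFC 3339 date-time with offset: {text!r}")
    y, mo, d, h, mi, s, frac, zulu, sign, oh, om = m.groups()
    # Any number of fractional digits is allowed; keep at most microseconds.
    micro = int((frac or "").ljust(6, "0")[:6])
    if zulu:
        tz = timezone.utc
    else:
        off = timedelta(hours=int(oh), minutes=int(om))
        tz = timezone(-off if sign == "-" else off)   # "-00:00" (unknown) maps to UTC
    # datetime() rejects out-of-range fields, including a leap second of :60.
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=tz)


def to_rfc3339_utc(dt):
    """Render an aware datetime in UTC with a trailing Z and exactly three
    fractional digits (truncated), e.g. 2019-03-14T15:00:00.000Z."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("naive datetime: offset unknown, refusing to guess")
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"


def normalise(text):
    """Rewrite any valid RFC 3339 timestamp in the Z form."""
    return to_rfc3339_utc(parse_rfc3339(text))


def is_valid_rfc3339(text):
    try:
        parse_rfc3339(text)
        return True
    except ValueError:
        return False


def sorts_chronologically(stamps):
    """True iff alphabetical order of the strings equals their time order."""
    return sorted(stamps) == sorted(stamps, key=parse_rfc3339)


# Constructed sample: the same Pi Day afternoon stamped in three offsets.
MIXED = [
    "2019-03-14T16:00:00.000+01:00",   # 4pm in Amsterdam        = 15:00Z
    "2019-03-14T10:00:00.000-08:00",   # 10am on the US West Coast = 18:00Z
    "2019-03-14T15:30:00.000Z",
]

if __name__ == "__main__":
    print("mixed offsets sort chronologically as text:", sorts_chronologically(MIXED))
    zulu = [normalise(s) for s in MIXED]
    print("after normalising to Z:", sorts_chronologically(zulu), sorted(zulu))
```

The parser deliberately refuses timestamps without an offset, and the formatter refuses naive datetimes, for the same reason: a log line that cannot say which timeline it belongs to is exactly the false precision the first lesson warns about, and converting everything to Z at the point of writing is what makes `sort` on the raw log file come out in time order.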

Happy #PiDay!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZlG6pjBHzt0/